Compliance Watch

The lack of a comprehensive federal law regarding data privacy has caused many states to begin drafting and implementing their own laws. Below we will focus on three states that have already signed into law privacy laws that will go in effect in 2023.

California

California Privacy Rights Act (“CPRA”) inches closer to its effective date of January 1, 2023 (with enforcement scheduled to begin six months later). The new California Privacy Protection Agency (“CPPA”) has begun holding regular public meetings.  The CPPA’s chair and board members were appointed in March, and the tasks ahead are substantial:  the board is charged with writing and revising a slew of new regulations to implement the sweeping privacy law under the pioneering agency’s purview, before it turns to enforcing them.  At the CPPA’s recent meetings, board members have discussed the agency’s goals and the steps they have taken to launch the new agency.

Even though the CPRA does not come into effect until January 2023, the CPRA will give consumers the right to request access to personal information collected on or after January 1, 2022, and for any personal information collected from January 1, 2023 forward, the CPRA may give consumers the right to request their historical information beyond the CCPA’s 12-month look back.  Companies should start thinking about how to collect and store personal information in a way that will allow them to respond to such a request (if such information is indeed subject to the right), and begin analyzing how new rights such as the right to limit the use of sensitive personal information, right to opt out of sharing, and right of employees to the same protections, may apply to your business.  In particular, the distinction between personal information and sensitive personal information may affect how information should be collected and stored.

In light of changes to service provider and contractor requirements, transparency and disclosure requirements (including relating to data subject rights), retention limitation requirements, and additional changes in the CPRA, it is a good time to start reviewing vendor contracts, privacy statements, data retention practices and policies, and other privacy-related documents.

CPRA extended until January 1, 2023, exemptions in the CCPA for business-to-business and employment-related data.  To the extent companies have avoided bringing those categories of data into compliance so far, they may want to revisit those decisions as the exemptions near their end.

Given that CCPA will continue to be enforceable until July 1, 2023, and the roll-out of regulations over the course of 2020 may have left some with outdated compliance programs that should be updated, it is a good time to revisit that compliance as well.

Rulemaking will clarify certain requirements.  Companies should therefore be prepared to modify certain aspects of their compliance programs as those rules take shape

Virginia

On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law. Virginia is only the second state to enact a comprehensive state privacy law, following California, yet its substance draws from both California’s laws—the California Consumer Privacy Act (“CCPA”), and the newly enacted California Privacy Rights and Enforcement Act (“CPRA”)—and a number of recently proposed state privacy bills.  The Virginia legislature, however, is the first to enact such a law of its own accord – the California Legislature enacted the CCPA to preempt a ballot initiative in 2018 (and the CPRA was passed as a ballot initiative by California voters).

The VCDPA, which will go into effect on January 1, 2023, still differs from other enacted or proposed comprehensive state privacy laws in important respects, and companies doing business in Virginia or marketing to Virginians will need to reassess their collection and use of consumer personal information and modify their compliance efforts accordingly.  The VCDPA will grant Virginia residents the rights to access, correct, delete, know, and opt-out of the sale and processing for targeted advertising purposes of their personal information, similar to the CCPA and CPRA.  However, the VCDPA departs from its California counterparts and aligns with the European Union’s General Data Protection Regulation (“GDPR”) in a few key respects, including with respect to the adoption of data protection assessment requirements, and “controller” and “processor” terminology.  The VCDPA also departs from the CCPA and CPRA by leaving enforcement entirely up to the Attorney General and not providing even a private right of action for consumers.

Colorado

On July 7, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (“CPA”), making Colorado the third state to pass comprehensive consumer privacy legislation, following California and Virginia.

The CPA will go into effect on July 1, 2023. In many ways, the CPA is similar—but not identical—to the models set out by its California and Virginia predecessors the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Enforcement Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”).  The CPA will grant Colorado residents the right to access, correct, and delete the personal data held by organizations subject to the law.  It also will give Colorado residents the right to opt-out of the processing of their personal data for purposes of targeted advertising, sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer.  In ensuring that they are prepared to comply with the CPA, many companies should be able to build upon the compliance measures they have developed for the California and Virginia laws to a significant extent.

The CPA does, however, contain a few notable distinctions when compared to its California and Virginia counterparts.  First, the CPA applies to nonprofit entities that meet certain thresholds described more fully below, whereas the California and Virginia laws exempt nonprofit organizations.  Similar to the VCDPA and unlike the CPRA—the California law slated to replace the CCPA in 2023—the CPA does not apply to employee or business-to-business data.  Like the VCDPA, the CPA will not provide a private right of action. Instead, it is enforceable only by the Colorado Attorney General or state district attorneys.  The laws in all three states differ with respect to the required process for responding to a consumer privacy request and the applicable exceptions for responding to such requests.

Finally, in addition to adopting certain terminology such as “personal data,” “controller” and “processor,” most commonly used in privacy legislation outside the United States, the CPA applies certain obligations modeled after the European Union’s General Data Protection Regulation (“GDPR”), including the requirement to conduct data protection assessments.  Further, the CPA imposes certain obligations on data processors, including requirements to assist the controller in meeting its obligations under the statute and to provide the controller with audit rights, deletion rights, and the ability to object to subprocessors.  Companies that have undergone GDPR compliance work thus will have a leg up with respect to these obligations.